Linux: File Permission System

By Xah Lee. Date: . Last updated: .

This page is a tutorial on file permission system on unix/linux.

Unix File Permission System

Each File has One Owner

Here's a example of a file's permission when you do ls -al.

drwxr-xr-x   40 root  wheel     1360 May 13 08:50 bin
      ↑            ↑      ↑                          ↑
     perm         owner   group                   file name

On unix, a file has a “owner” attribute. Owner is a login account name. Each file has one owner. (directory is also considered a file in unix) In the above example, the owner of the file “bin” is a login name named “root”.

Each File has One Group

A file also has a “group” attribute.

A group is a set of login names, and can be setup by sys admins.

For example, if the machine has logins of {jone, mary, david, joe}, a sys admin can create a group named “engineers”, and the group member can be {joe, david}, and there can be another group named “sales”, with membership of {jone, david, mary}. There can be any number of groups. Each login name can be in multiple groups. “owner” name and “group” name can be the same, but there's no special connecton.

By default, unix creates several groups. A common one is “wheel”, which is meant as a group name for “root”. (typicall, this group is for sys admins.)

Summary:

For creating new {user, group}, listing {user, group}, or find out their id , see: Linux: Users and Groups

File Attributes: {read, write, execute} for {owner, group, other}

Every file also has a permission attribute. Basically, the possible permissions are:

Together, these make a permission set, shown as “rwx”.

For each file, there are 3 sets of rwx permission. One is associated with the file's “owner”, one is associated with the file's “group”, and another is associated with special name called “other”, which means all those who are not owner or in the group).

So, typically, when you do ls -l in unix, you will see a lines like:

drwxr-xr-x   40 root  wheel     1360 May 13 08:50 bin
      ↑            ↑      ↑                          ↑
     perm         owner   group                   file name

The “d” means it's a directory. You'll see 3 sets of “rwx” after it.

r
Read perm bit is on.
w
Write perm bit is on.
x
Execute perm bit is on.
-
Bit is off.

Notice in the above example, the directory “bin” also have the execute bits on (the “x”) for all {owner, group, other}. That is because, in order to list directory content, the directory not only needs the read permission on, but due to unix idiosyncrasy, it must also have the execute bit on. (unix perm system is badly designed.)

Here's another example showing different users and groups.

macos terminal root dir 2020-01-11 8nn85
macOS terminal root dir 2020-01-11

For example, let's look at this line

drwxr-xr-x@  10 root  wheel      340 Nov 28  2017 usr

The @ sign is MacOS only. It means the file has extended attribute.

[see MacOS Extended Attribute, At sign @ in ls]

Changing File's Owner/Group

chown userName fileName
Change file fileName's owner to userName.
chgrp groupName fileName
Change file fileName's group to groupName.

To list existing users and groups, see: Linux: Users and Groups

Changing File's Permissions

chmod octal_number fileName
Change permission on a file.
umask octal_number
Set a default permission bits for newly created files.

These commands use 3 octal digits to specify the 3 sets of perm bits. See man chown, man chgrp.

# set mycat.jpg file's perm to 644, which is rw-r--r--
chmod 644 mycat.jpg

Memorize Perm Bits Octal Conversion

Here's how to memorize the perm in octal:

So, add them together. For example, if you want “r--”, then that's 4. if you want “r-x”, then that's 5. Do this for each of the {owner, group, other} perm set, then you get 3 digts. For example, “rw-r--r--” is 644.

644 is the most common for files. 755 is the most common for dirs.

Change Multiple Files Perm in Batch

To change multiple files in batch, you can use the command find to traverse a dir. Example:

# set all files under current dir to 644, which is rw-r--r--
find . -type f -print0 | xargs -0 -l -i chmod 644 '{}'
# set all dirs under current dir to 755, which is rwxr-xr-x
find . -type d -print0 | xargs -0 -l -i chmod 755 '{}'
# set all file owner in current dir to xyz
find . -type f -exec chown xahlee {} ';'

[see Linux: Traverse Directory: find, xargs]

Linux Shell Basics

Sys Admin

Bash/Terminal

Linux Desktop